I have rsyslog configured with impstats, forwarding to statsd/graphite, so
I can graph the metrics and monitor them (I have Nagios pulling metrics
from graphite).
I keep meaning to put a blog post together to document this properly, but
here’s a config snippet that gets you the basics. The hard part is
figuring out which queues you want monitored. I’ve only got “main Q”
showing here for brevity but I have a lot more defined.
<snip>
module(load="impstats" interval="10" severity="7" format="cee”)
module(load="mmjsonparse”)
#json format: {"name":"main
Q","size":25,"enqueued":32,"full":0,"discarded.full":0,"discarded.nf":0,"ma
xqsize":25}
template(name="mainQTemplate" type="list") {
constant(value="rsyslog.myhost_example_com.main_q.size:")
property(name="$!size")
constant(value="|g\n")
constant(value="rsyslog.myhost_example_com.main_q.enqueued:")
property(name="$!enqueued")
constant(value="|c|@10\n")
constant(value="rsyslog.myhost_example_com.main_q.discarded.full:")
property(name="$!discarded.full")
constant(value="|c|@10\n")
constant(value="rsyslog.myhost_example_com.main_q.discarded.nf:")
property(name="$!discarded.nf")
constant(value="|c|@10\n")
constant(value=“rsyslog.myhost_example_com.main_q.maxqsize:")
property(name="$!maxqsize")
constant(value="|g\n")
}
if $syslogtag contains "rsyslogd-pstats" then {
action(type="mmjsonparse”)
#write to file here for debugging.
action(type=“omfile” file=“/var/log/stats.log”)
if $!name == "main Q" then {
action(type="omfwd" Target="127.0.0.1" Protocol="udp" Port="8125"
template="mainQTemplate”)
}
stop
}
</snip>
There is still some wonkiness in the enqueued stat as occasionally it has
an absolutely massive unrealistic spike, I have never tracked down why it
does that, but this should give you a start.
Cheers
mike
--
Michael Hart
Arctic Wolf Networks
M: 226-388-4773
On 2014-11-18, 15:14, "Dave Caplinger" <[email protected]>
wrote:
>Absolutely. Rsyslog has statistics counters via the impstats module; you
>can process the log lines it generates to determine the health of the
>rsyslog instance, including individual queues, drop rates, forwarding
>rates, etc.
>
>See:
>
>http://www.rsyslog.com/rsyslog-statistic-counter/
>http://www.rsyslog.com/how-to-use-impstats/
>
>--
>Dave Caplinger, Director of Architecture | Ph: (402) 361-3063 |
>Solutionary — An NTT Group Security Company
>
>> On Nov 18, 2014, at 6:46 AM, Damian <[email protected]> wrote:
>>
>> Hi,
>> I'm trying to determine whether it's possible to monitor the health of
>>an rsyslog daemon running as a forwarder.
>> ie. If I'm running it as a component in a logging service, how do I
>>check the event rates, or know it's not losing events or queuing
>>incoming data. Are there any 'self-monitoring' events that I can
>>generate and forward from it, in order to keep an eye on its health?
>> Thanks!
>>
>> Damo
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>if you DON'T LIKE THAT.
>
>_______________________________________________
>rsyslog mailing list
>http://lists.adiscon.net/mailman/listinfo/rsyslog
>http://www.rsyslog.com/professional-services/
>What's up with rsyslog? Follow https://twitter.com/rgerhards
>NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
